Overview

overview

10

Static

static

8

86749c5913...3b.exe

windows7-x64

10

86749c5913...3b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 19:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    86749c59137ad592187e0486ba87f5f5a7479dc0100ac7b1945b6de95d460c3b.exe

  • Size

    255KB

  • MD5

    4508e3462ab57f779f193428976ba116

  • SHA1

    e7198fe50c68ec2269d4e74894d6e2ec4b8f46a3

  • SHA256

    86749c59137ad592187e0486ba87f5f5a7479dc0100ac7b1945b6de95d460c3b

  • SHA512

    2dac2e0837da9e9a10979444eb520d2a4f4f642070b2c37233c077a9ebfca85666ef3d0b2cf357e416859f1ddf4e5ed23680b4d6c726545c9c0d212a6ed2ffce

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJh:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIE

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 28 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 12 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\86749c59137ad592187e0486ba87f5f5a7479dc0100ac7b1945b6de95d460c3b.exe
    "C:\Users\Admin\AppData\Local\Temp\86749c59137ad592187e0486ba87f5f5a7479dc0100ac7b1945b6de95d460c3b.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Windows\SysWOW64\gadeaifqcj.exe
      gadeaifqcj.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Windows\SysWOW64\hyjdyjzs.exe
        C:\Windows\system32\hyjdyjzs.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2904
    • C:\Windows\SysWOW64\qmiilncdqrfegfu.exe
      qmiilncdqrfegfu.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2008
    • C:\Windows\SysWOW64\hyjdyjzs.exe
      hyjdyjzs.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:540
    • C:\Windows\SysWOW64\fmwvbfofxpgna.exe
      fmwvbfofxpgna.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1748
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3920

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    255KB

    MD5

    9584b475cef253e0b8d87f97b8202aea

    SHA1

    a4670d9e6e2fbf2e78a613310651fef40717c3f0

    SHA256

    887607f48aa0b41e7c6e3dc2664c4ca429fc7e719270cf7de404809db2c39ec1

    SHA512

    337f7f64f36f5e7464705e72195e3324016f8650b49589f788c02710ca1dd693d3ccef48422f4d9afc3cf3671d97cc492dd9ee95aab46b591ff333d6f4659448

    Download Submit

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    255KB

    MD5

    a6d5fa2d4664bd76d7e903f32a687f87

    SHA1

    96b77590648ff6fbbfcaf32ff4c134b43cffb788

    SHA256

    45fe5ad27700480664d77a251318b3dec1b850627572c3d4f3090e0ef2f0f058

    SHA512

    9b2d6d266b4aba58234afafd08ba2de190f9689d78d73d2e01006ea5c11ad48a942378c4facb88b71c441e2b53e29dad89804f00f6bacb927683df62110b881d

    Download Submit

  • C:\Windows\SysWOW64\fmwvbfofxpgna.exe
    Filesize

    255KB

    MD5

    0e2ce57d6cc69def134e2bbaf828dbad

    SHA1

    474d332e26d2e36da4e7f31a770f656985479ae2

    SHA256

    ba9e454ee00d3a5ad021a5d9d76101373752d7ef7f4909f531a52b5c9b106a00

    SHA512

    94e04b1dac6d3ac575611c93c6ee1920285d31750165afdf42ee3cef8ae12d3864cd09e62a4771950d13b47a6e2c348782d709779485a8118770100f6c0629f0

    Download Submit

  • C:\Windows\SysWOW64\fmwvbfofxpgna.exe
    Filesize

    255KB

    MD5

    0e2ce57d6cc69def134e2bbaf828dbad

    SHA1

    474d332e26d2e36da4e7f31a770f656985479ae2

    SHA256

    ba9e454ee00d3a5ad021a5d9d76101373752d7ef7f4909f531a52b5c9b106a00

    SHA512

    94e04b1dac6d3ac575611c93c6ee1920285d31750165afdf42ee3cef8ae12d3864cd09e62a4771950d13b47a6e2c348782d709779485a8118770100f6c0629f0

    Download Submit

  • C:\Windows\SysWOW64\gadeaifqcj.exe
    Filesize

    255KB

    MD5

    2b5d273a71023e4fef4a1101f9d90519

    SHA1

    a2127ac67443fc4329388751d81d36da257668ea

    SHA256

    c4337a365cde7bb5553ce4e1dbdaae734411eb918318c6df5c6222871a828b0b

    SHA512

    f8a3d2385b9565123ca7dd0b0dd377a401c4d3a0e6199ca0a154413efd76b6c8650361e92318fe341993b227ab096f5b938dd9d296dd6133eea1d6abbe959fe0

    Download Submit

  • C:\Windows\SysWOW64\gadeaifqcj.exe
    Filesize

    255KB

    MD5

    2b5d273a71023e4fef4a1101f9d90519

    SHA1

    a2127ac67443fc4329388751d81d36da257668ea

    SHA256

    c4337a365cde7bb5553ce4e1dbdaae734411eb918318c6df5c6222871a828b0b

    SHA512

    f8a3d2385b9565123ca7dd0b0dd377a401c4d3a0e6199ca0a154413efd76b6c8650361e92318fe341993b227ab096f5b938dd9d296dd6133eea1d6abbe959fe0

    Download Submit

  • C:\Windows\SysWOW64\hyjdyjzs.exe
    Filesize

    255KB

    MD5

    71d440198a2cb320c65b0108b364c8bd

    SHA1

    6feba010c18ff57b967d91e5e109b030bb107a4b

    SHA256

    2820b20c347b922049740449f74547d675d25c8a0fbf5c7294e2dcd04ee7e54f

    SHA512

    1964b526e6fa7ad57fb2ced5ac72161812b92fd0d6580cb099e38c3a4fec210db727e77c9afcca7cb8b77af034c604359c30eb7d16c98ead2c9a2d7a2a518aa9

    Download Submit

  • C:\Windows\SysWOW64\hyjdyjzs.exe
    Filesize

    255KB

    MD5

    71d440198a2cb320c65b0108b364c8bd

    SHA1

    6feba010c18ff57b967d91e5e109b030bb107a4b

    SHA256

    2820b20c347b922049740449f74547d675d25c8a0fbf5c7294e2dcd04ee7e54f

    SHA512

    1964b526e6fa7ad57fb2ced5ac72161812b92fd0d6580cb099e38c3a4fec210db727e77c9afcca7cb8b77af034c604359c30eb7d16c98ead2c9a2d7a2a518aa9

    Download Submit

  • C:\Windows\SysWOW64\hyjdyjzs.exe
    Filesize

    255KB

    MD5

    71d440198a2cb320c65b0108b364c8bd

    SHA1

    6feba010c18ff57b967d91e5e109b030bb107a4b

    SHA256

    2820b20c347b922049740449f74547d675d25c8a0fbf5c7294e2dcd04ee7e54f

    SHA512

    1964b526e6fa7ad57fb2ced5ac72161812b92fd0d6580cb099e38c3a4fec210db727e77c9afcca7cb8b77af034c604359c30eb7d16c98ead2c9a2d7a2a518aa9

    Download Submit

  • C:\Windows\SysWOW64\qmiilncdqrfegfu.exe
    Filesize

    255KB

    MD5

    895446e53bca76baed8e4b9f2a57c3ec

    SHA1

    a27c9e94eff550714fb964a43af8524cc2df37fc

    SHA256

    6ea84ff2c6b03c1827357934630a2633864826b7552cf5c287c57ac591e9a779

    SHA512

    fdd3e764c6f329c84c9ca171676e24b31f722df612c3e29f992d27119342f8ef9eb8826ba48b999c2704ecae3216fa60a380174f43c391c0410ce2f2dd0aec39

    Download Submit

  • C:\Windows\SysWOW64\qmiilncdqrfegfu.exe
    Filesize

    255KB

    MD5

    895446e53bca76baed8e4b9f2a57c3ec

    SHA1

    a27c9e94eff550714fb964a43af8524cc2df37fc

    SHA256

    6ea84ff2c6b03c1827357934630a2633864826b7552cf5c287c57ac591e9a779

    SHA512

    fdd3e764c6f329c84c9ca171676e24b31f722df612c3e29f992d27119342f8ef9eb8826ba48b999c2704ecae3216fa60a380174f43c391c0410ce2f2dd0aec39

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    255KB

    MD5

    46d81e122f253cd83c92510b03d48e59

    SHA1

    51b078071982b391bf8433ab3df86aac483ff39c

    SHA256

    73bbd7b03ee8f529ccebbab78529aa142fe3b531b17890fac6f6669ac5be9ccd

    SHA512

    251504357125266442f77729ac67d178532abbec8a98ff58a18866e6b69a62c0018bd77daf0f9139b530e1b7c8fd2524c80cd456c3235acef085e731fad9825f

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    255KB

    MD5

    b0464ebe4401c83dd9ea5f94baec23ca

    SHA1

    aa40f470ecfef7d1cb0876a7ec1b118fa0b5cd56

    SHA256

    e4a090e142820962178251d570daf2eed64048ce2dd9b493584523d51d161242

    SHA512

    d194cb597d0240ec643d3b266084211ce5e222e7ae72101df7e3fe3cb7eae64a93e25bfe934636252840b5b7db64dda17247cb869a72948aa733cd2bf7cf4818

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    255KB

    MD5

    b0464ebe4401c83dd9ea5f94baec23ca

    SHA1

    aa40f470ecfef7d1cb0876a7ec1b118fa0b5cd56

    SHA256

    e4a090e142820962178251d570daf2eed64048ce2dd9b493584523d51d161242

    SHA512

    d194cb597d0240ec643d3b266084211ce5e222e7ae72101df7e3fe3cb7eae64a93e25bfe934636252840b5b7db64dda17247cb869a72948aa733cd2bf7cf4818

    Download Submit

  • memory/540-147-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/540-178-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/540-166-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/540-139-0x0000000000000000-mapping.dmp

    Download

  • memory/640-145-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/640-164-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/640-133-0x0000000000000000-mapping.dmp

    Download

  • memory/1748-148-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1748-142-0x0000000000000000-mapping.dmp

    Download

  • memory/1748-167-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2008-165-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2008-136-0x0000000000000000-mapping.dmp

    Download

  • memory/2008-146-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2904-152-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2904-177-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2904-150-0x0000000000000000-mapping.dmp

    Download

  • memory/2904-168-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/3920-155-0x00007FFD2FEF0000-0x00007FFD2FF00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3920-161-0x00007FFD2D9C0000-0x00007FFD2D9D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3920-157-0x00007FFD2FEF0000-0x00007FFD2FF00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3920-154-0x00007FFD2FEF0000-0x00007FFD2FF00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3920-158-0x00007FFD2FEF0000-0x00007FFD2FF00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3920-149-0x0000000000000000-mapping.dmp

    Download

  • memory/3920-162-0x00007FFD2D9C0000-0x00007FFD2D9D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3920-156-0x00007FFD2FEF0000-0x00007FFD2FF00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3920-173-0x00007FFD2FEF0000-0x00007FFD2FF00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3920-174-0x00007FFD2FEF0000-0x00007FFD2FF00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3920-175-0x00007FFD2FEF0000-0x00007FFD2FF00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3920-176-0x00007FFD2FEF0000-0x00007FFD2FF00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4956-132-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4956-153-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download